CVE-2026-39843
Published: 09 April 2026
Summary
CVE-2026-39843 is a high-severity SSRF (CWE-918) vulnerability in Plane. Its CVSS base score is 7.7 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 9.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly validates and sanitizes user-supplied favicon URLs and every redirect they produce, blocking SSRF access to private IP addresses.
- AC-4 (Information Flow Enforcement): enforces approved information flow policies so that server-side requests originating from untrusted user input, such as attacker-supplied HTML links, cannot reach internal resources.
- Flaw remediation: applies patches promptly, i.e. upgrading to Plane 1.3.0, which completes the redirect validation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF in the public-facing Plane web application is exploited directly: crafted input to the Add link feature makes the server reach internal resources, which is the definition of T1190.
NVD Description
Plane is an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal HTML page contains a link tag with an href that redirects to a private IP address is supplied to Add link by an authenticated attacker with low privileges. Redirects for the main page URL are validated, but not the favicon fetch path. fetch_and_encode_favicon() still uses requests.get(favicon_url, ...) with the default redirect-following. This vulnerability is fixed in 1.3.0.
Deeper analysis
CVE-2026-39843 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the open-source project management tool Plane in versions from 0.28.0 up to but not including 1.3.0. The issue stems from an incomplete remediation of the prior advisory GHSA-jcc6-f9v6-f7jw: redirects for the main page URL are validated during the "Add link" feature, but the favicon fetch path in the fetch_and_encode_favicon() function still calls requests.get(favicon_url, ...) with redirect-following enabled by default, so a redirect issued by the favicon endpoint is followed without any check on its destination. The vulnerability has a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high confidentiality impact with changed scope.
An authenticated attacker with low privileges can exploit this by supplying a normal HTML page containing a link tag with an href that redirects to a private IP address via the "Add link" functionality. The server will fetch the favicon from the redirected private endpoint, enabling full read access to internal resources without user interaction required.
The GitHub security advisory at https://github.com/makeplane/plane/security/advisories/GHSA-9fr2-pprw-pp9j details the issue and confirms it is fixed in Plane version 1.3.0, recommending users upgrade to mitigate the vulnerability.
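As an added illustration (not Plane's own code), this is how a favicon fetcher can close the gap described above: redirects are disabled on the HTTP client and each hop is validated against private, loopback and link-local ranges before it is followed. FakeResponse, SAMPLE_ROUTES and fake_get are constructed stand-ins for requests.get so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5

def resolve_host(host):
    """Return every IP the host maps to; IP literals need no DNS lookup."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]

def is_safe_url(url):
    """Accept only http(s) URLs whose host resolves solely to globally routable IPs."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addrs = resolve_host(parsed.hostname)
    except (socket.gaierror, ValueError):
        return False
    return bool(addrs) and all(ip.is_global for ip in addrs)

def fetch_with_validated_redirects(url, get, max_hops=MAX_HOPS):
    """Follow redirects by hand so every hop is validated. `get` is an HTTP GET
    callable with requests.get's signature; automatic redirect following is off."""
    for _ in range(max_hops + 1):
        if not is_safe_url(url):
            raise ValueError(f"blocked non-public destination: {url}")
        resp = get(url, allow_redirects=False, timeout=5)
        if resp.status_code not in (301, 302, 303, 307, 308):
            return resp
        location = resp.headers.get("Location")
        if not location:
            raise ValueError("redirect without Location header")
        url = urljoin(url, location)  # resolve a relative Location against this hop
    raise ValueError("too many redirects")

# Constructed stand-in for requests.get (no network): a public host whose favicon
# URL answers with a redirect to a private address, the pattern this CVE describes.
class FakeResponse:
    def __init__(self, status_code, headers=None, content=b""):
        self.status_code, self.headers, self.content = status_code, headers or {}, content

SAMPLE_ROUTES = {
    "http://1.1.1.1/favicon.ico": FakeResponse(302, {"Location": "http://10.0.0.5/favicon.ico"}),
    "http://1.1.1.1/icon.png": FakeResponse(200, content=b"\x89PNG"),
}

def fake_get(url, allow_redirects=False, timeout=5):
    return SAMPLE_ROUTES.get(url, FakeResponse(404))
```

The check resolves the hostname separately from the request that the client then makes, so a DNS-rebinding attacker still has a race window; pinning the validated IP into the connection closes it.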
Details
- CWE(s)